Overview
qrie monitors multiple AWS accounts from a centralized QOP (Qrie On-Premises) account.
Account management involves:
- Registering new AWS accounts to be monitored
- Running initial inventory scans for new accounts
- Viewing account status and last scan times
- Removing accounts from monitoring
Adding New Accounts
Register a new AWS account for qrie to monitor
Steps to add accounts:
1. Navigate to the Management page
2. Click the Add Accounts button at the bottom of the accounts list
3. Paste one or more 12-digit AWS account IDs (one per line, comma, or space-separated)
4. Accounts are added with Pending status
Bootstrap Required
After adding accounts, you must deploy a CloudFormation stack in each customer account to enable monitoring. Click the info button (ℹ️) next to any pending account for detailed instructions.
Bootstrap Process:
Deploy CloudFormation stack to enable monitoring:
1. Click the info button (ℹ️) next to the pending account
2. Click the Quick Launch (Pre-filled) button - opens the AWS CloudFormation console
3. Review parameters (pre-filled with your QOP account details)
4. Click Create Stack - deploys IAM roles and EventBridge rules
5. Return to the qrie UI and click the refresh button (↻) next to the account
6. Status changes to Active and account metadata is fetched
CloudFormation Deploy: 2-3 minutes
Inventory scan starts automatically after bootstrap verification
What the CloudFormation stack creates:
- IAM Role: QrieReadOnly-{AccountId} with SecurityAudit managed policy for read-only access
- EventBridge Rules: Forward CloudTrail management events (EC2, S3, IAM) to QOP account
- IAM Role for Events: QrieEventsToSqs-{AccountId}-{Region} with permissions to send to QOP SQS queue
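After the stack deploys, it is worth confirming that the read-only role is scoped the way the list above describes. The following is an added example, not qrie's own code: it audits the `Role` object from `aws iam get-role` and the `AttachedPolicies` list from `aws iam list-attached-role-policies`, assuming the role should be assumable only by principals in the QOP account (the page does not show the template's trust policy). Account IDs and sample documents are constructed.

```python
SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"

def trusted_principals(trust_policy):
    """Collect every principal that an Allow statement lets assume the role."""
    found = set()
    statements = trust_policy.get("Statement", [])
    if isinstance(statements, dict):            # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):          # "Principal": "*"
            found.add(principal)
            continue
        for kind, value in principal.items():
            for v in ([value] if isinstance(value, str) else value):
                found.add(v if kind == "AWS" else f"{kind}:{v}")
    return found

def audit_bootstrap_role(role, attached, account_id, qop_account_id):
    """Return a list of problems; an empty list means the role matches expectations."""
    problems = []
    expected = f"QrieReadOnly-{account_id}"
    if role["RoleName"] != expected:
        problems.append(f"unexpected role name {role['RoleName']}")
    qop_prefix = f"arn:aws:iam::{qop_account_id}:"
    for p in sorted(trusted_principals(role["AssumeRolePolicyDocument"])):
        if p != qop_account_id and not p.startswith(qop_prefix):
            problems.append(f"trust policy allows non-QOP principal {p}")
    arns = {a["PolicyArn"] for a in attached}
    if SECURITY_AUDIT_ARN not in arns:
        problems.append("SecurityAudit is not attached")
    for extra in sorted(arns - {SECURITY_AUDIT_ARN}):
        problems.append(f"extra managed policy attached: {extra}")
    return problems

# Constructed sample data (account IDs are placeholders, not from the page).
QOP, MEMBER = "111111111111", "222222222222"
GOOD_ROLE = {"RoleName": f"QrieReadOnly-{MEMBER}", "AssumeRolePolicyDocument": {
    "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": f"arn:aws:iam::{QOP}:root"}}]}}
BAD_ROLE = {"RoleName": f"QrieReadOnly-{MEMBER}", "AssumeRolePolicyDocument": {
    "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": [f"arn:aws:iam::{QOP}:root", "arn:aws:iam::333333333333:root"]}}]}}
AUDIT_ONLY = [{"PolicyName": "SecurityAudit", "PolicyArn": SECURITY_AUDIT_ARN}]
WITH_ADMIN = AUDIT_ONLY + [{"PolicyName": "AdministratorAccess",
                            "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]

if __name__ == "__main__":
    print(audit_bootstrap_role(BAD_ROLE, WITH_ADMIN, MEMBER, QOP))
```

Inline policies are not covered by this check; list them separately with `aws iam list-role-policies` if you want the same assurance for those.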
After bootstrap completes:
- Inventory scan runs automatically (5-15 minutes)
- All active policies evaluate against new account resources
- Findings appear on Findings page
- Real-time drift detection begins via EventBridge
Viewing Account Status
Check which accounts are being monitored and their scan status
Dashboard View:
The Dashboard shows:
- Total number of monitored accounts
- Last inventory scan timestamp
- Drift detection status
Inventory View:
The Inventory page allows you to:
- Filter resources by account ID
- See resource counts per account
- View last seen timestamps for resources
Findings View:
The Findings page shows:
- Security findings per account
- Filter by account to see account-specific issues
Removing Accounts
Stop monitoring an AWS account
Steps to remove accounts:
1. Navigate to the Management page
2. Select one or more accounts using checkboxes
3. Click the Remove (N) button that appears
4. Confirm deletion in the dialog
Permanent Deletion
Removing an account permanently deletes all associated data: account record, inventory resources, and security findings. This action cannot be undone.
What happens when you remove an account:
- Account record deleted from qrie_accounts table
- All inventory resources for this account deleted from qrie_resources table
- All security findings for this account deleted from qrie_findings table
- New events from this account are ignored
Bulk removal:
You can select multiple accounts and remove them all at once. The confirmation dialog will show the list of accounts to be removed. This is useful when decommissioning multiple accounts or cleaning up test accounts.
Scheduled Scans (Anti-Entropy)
Automatic scans that detect drift and configuration changes
Weekly Inventory Scan:
Schedule: Saturday 00:00 UTC
Purpose: Full inventory refresh across all accounts and services
Scan Type: anti-entropy (updates drift metrics)
Duration: 10-30 minutes depending on total resource count
Daily Policy Scan:
Schedule: Daily at 04:00 UTC
Purpose: Re-evaluate all resources against active policies
Scan Type: anti-entropy (updates drift metrics)
Duration: 5-15 minutes depending on policy count and resources
Drift Detection
The dashboard monitors these scheduled scans. If the last inventory scan is older than 8 days or the last policy scan is older than 26 hours, drift is detected and flagged on the dashboard.
Best Practices
Bootstrap New Accounts
Always run a bootstrap scan immediately after adding a new account to establish baseline and avoid drift false positives.
Monitor Drift
Check the dashboard regularly for drift detection alerts. Investigate if scheduled scans are failing.
Document Accounts
Keep a record of which accounts are monitored, their purpose (prod/dev/test), and any special scope configurations.
Test First
Add dev/test accounts first to verify EventBridge rules and IAM roles are configured correctly before adding production accounts.
Future Features
Coming soon to qrie
- Account Health Dashboard: Per-account metrics, scan history, and compliance scores
- CloudFormation StackSets: Deploy bootstrap stacks across multiple accounts simultaneously
- Account Groups: Organize accounts by environment, team, or business unit
- Selective Policy Scope: Apply policies to specific accounts or account groups